Fix possible string overrun in node.c:is_hex.

2 files changed, 10 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index eaecc5ca..a1bfc3a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2017-01-26         Andrew J. Schorr     <aschorr@telemetry-investments.com>
 
+	* node.c (is_hex): Add a new argument pointing to the end of the string
+	so we can check for string overrun.
+	(r_force_number): Pass string end to is_hex.
+
+2017-01-26         Andrew J. Schorr     <aschorr@telemetry-investments.com>
+
 	* awk.h (get_numbase): Add string length argument so we can operate
 	on unterminated strings.
 	* awkgram.y: Call get_numbase with string length, and fix off-by-one
diff --git a/node.c b/node.c
index abeadc34..962a650d 100644
--- a/node.c
+++ b/node.c
@@ -41,12 +41,13 @@ int (*cmp_numbers)(const NODE *, const NODE *) = cmp_awknums;
 /* is_hex --- return true if a string looks like a hex value */
 
 static bool
-is_hex(const char *str)
+is_hex(const char *str, const char *cpend)
 {
+	/* on entry, we know the string length is >= 1 */
 	if (*str == '-' || *str == '+')
 		str++;
 
-	if (str[0] == '0' && (str[1] == 'x' || str[1] == 'X'))
+	if (str + 1 < cpend && str[0] == '0' && (str[1] == 'x' || str[1] == 'X'))
 		return true;
 
 	return false;
@@ -113,7 +114,7 @@ r_force_number(NODE *n)
 	if (   (! do_posix		/* not POSIXLY paranoid and */
 	        && (is_alpha((unsigned char) *cp)	/* letter, or */
 					/* CANNOT do non-decimal and saw 0x */
-		    || (! do_non_decimal_data && is_hex(cp))))) {
+		    || (! do_non_decimal_data && is_hex(cp, cpend))))) {
 		goto badnum;
 	}